• 0 Posts
  • 25 Comments
Joined 6 months ago
cake
Cake day: September 26th, 2024

help-circle


  • What you might call a stateful NAT is really a 1-1 NAT, anything going out picks up an IP and anything retuned to that IP is routed back to the single address behind the NAT. Most home users a many to one source nat so their internal devices pick up a routable IP and multiple connections to a given dest are tracked by a source port map to route return traffic to the appropriate internal host.

    Basically yes to what you said, but a port forward technically is a route map inbound to a mapped IP. You could have an ACL or firewall rule to control access to the NAT but in itself the forward isn’t a true firewall allow.

    Same basic result but if you trace a packet into a router without a port forward it’ll be dropped before egress rather than being truly blocked. I think where some of the contention lies is that routing between private nets you have something like:

    0.0.0.0/0 > 192.168.1.1 10.0.0.0/8 > 192.168.2.1

    The more specific route would send everything for 10.x to the .2 route and it would be relayed as the routing tables dictate from that device. So a NAT in that case isn’t a filter.

    From a routable address to non-route 1918 address as most would have from outside in though you can’t make that jump without a map (forward) into the local subnet.

    So maybe more appropriate to say a NAT ‘can’ act as a firewall, but only by virtue of losing the route rather than blocking it.


  • NAT in the sense used when people talk about at home is a source nat, or as we like to call it in the office space a hide address, everyone going to the adjacent net appears to be the same source IP and the system maintains a table of connections to correlate return traffic to.

    The other direction though, if you where on that upstream net and tried to target traffic towards the SNAT address above the router has no idea where to send it to unless there’s a map to designate where incoming connections need to be sent on the other side of the NAT so it ends up being dropped. I suppose in theory it could try and send it to everyone in the local side net, but if you get multiple responses everything is going to get hosed up.

    So from the perspective of session state initiation it can act as a firewall since without route maps it only will work from one side.






  • Indeed they do use 11x but it’s still a possibility to cause issues. It’s entirely possible to manage a fleet of IPs across a net but it takes a solid plan organization plan. My company is big on the acquiring companies game where IP overlaps are a perpetual challenge when merging sites in and you need a mess of snat/dnat conversions to keep routing from getting in a knot.


  • While handy on a personal net, on a larger corporate net this isn’t practical and even adds a security risk. By having servers request leases you run the chance that someone gets into a segment, funds the ARP association for an IP/MAC combo and can take over a server’s spot simply by spoofing their own MAC to match at the time of lease renewal.

    In the post above about setting a static address in two spots that in itself isn’t required either. So long as there are no duplicates you would just set the static address on the end device, then the network will sort it out with ARP ‘who has’ requests in local segments, or routing in the case of distinct subnets.

    Edit: the duplicate I suppose could be referring to putting names into a DNS registry, in which case yes you would need that double entry, or just reference things by IP if the environment is small enough for it to be practical.





  • That last part sounds like grand idea, and likely not too hard to do on the client side. Perhaps just a way to sort things by tagging a comm with some flag and all the ones with a specific flag show up in a custom feed. That way even if the names are not quite the same you could create these merged comms to read from.

    The hard part there would be posting, you would want some kind of easy way to send a new post to a specific one, but I can’t say having a ‘post to all’ would be a good idea, that sounds like a spam poster’s best friend.